April 28, 2005
Common Questions about Certificate Templates
In the Windows Server 2003 PKI, there are two different types of certificate templates that you can work with. Version 1 certificate templates are certificate templates that also existed in the Windows 2000 PKI and can only have their permissions modified. You cannot change the content of the certificate (the format of the subject, the lifetime of the certificate, the uses of the certificate, etc.). You can, however, duplicate these version 1 templates, creating what is known as a version 2 certificate template. A version 2 certificate template allows you to modify the content and the permissions of the certificate template. It is impossible to create a version 2 certificate template from scratch. You must duplicate an existing version 1 or version 2 certificate template, so choose a certificate template that is close to the functionality that you require.
A version 2 certificate template can only be issued by an enterprise CA running on Windows Server 2003, Enterprise Edition. The most common mistake that I see is a customer trying to issue version 2 certificate templates from an enterprise CA running Windows Server 2003, Standard Edition. The Standard Edition server is hard-coded to *not* issue version 2 certificate templates.
In addition, Windows Server 2003, Standard Edition should not be confused with a Windows Server 2003 standalone CA. A standalone CA, whether it is running on Windows Server 2003, Standard Edition or Windows Server 2003, Enterprise Edition, does not use certificate templates at all when it issues certificates. Instead, the certificate content is based entirely on the information provided in the certificate request.
You can edit certificate templates from any Windows XP or Windows Server 2003 domain member computer, as long as you are logged in as a user that is assigned the Read and Write permissions for the specific template. To create new templates, you must be assigned Full Control permission to the CN=Certificate Templates, CN=Public Key Services, CN=Services, CN=Configuration,ForestRootDomain container and the CN=OID, CN=Public Key Services, CN=Services, CN=Configuration,ForestRootDomain container.
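As an added example (my own script, not part of the original post or any Microsoft tooling), the following PowerShell reads the same Configuration-partition objects the post refers to: it lists every template with its schema version (1 or 2), shows which templates each enterprise CA is configured to issue, and reports who holds write-level rights on the Certificate Templates and OID containers. It assumes you run it as a domain user with read access to the Configuration partition; it uses the ADSI binder rather than the ActiveDirectory module so it needs nothing installed beyond PowerShell.

```powershell
# Added example, not from the original post. Assumes a domain-joined machine and a
# user who can read CN=Configuration. Attribute names used (msPKI-Template-Schema-Version,
# msPKI-Cert-Template-OID, certificateTemplates, dNSHostName) are the standard AD CS schema.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value   # e.g. CN=Configuration,DC=example,DC=com
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# 1. Templates and their version. Schema version 1 = permissions only (Windows 2000 era);
#    schema version 2 = content editable, issuable only by an Enterprise Edition CA.
$templates = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
$templates.Children | ForEach-Object {
    [pscustomobject]@{
        Template      = $_.Properties['cn'].Value
        SchemaVersion = $_.Properties['msPKI-Template-Schema-Version'].Value
        OID           = $_.Properties['msPKI-Cert-Template-OID'].Value
    }
} | Sort-Object Template | Format-Table -AutoSize

# 2. Enterprise CAs and the templates each is set to issue (certificateTemplates
#    attribute on the pKIEnrollmentService object). A version 2 template listed here
#    for a Standard Edition CA will never actually be issued, the mistake the post describes.
$enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$enrollSvc.Children | ForEach-Object {
    "`nCA: $($_.Properties['cn'].Value) on $($_.Properties['dNSHostName'].Value)"
    $_.Properties['certificateTemplates'].Value | ForEach-Object { "  issues: $_" }
}

# 3. Who can create or fully control objects in the two containers that creating a new
#    template requires. Anyone shown here can define what certificates the PKI issues,
#    so this list is worth reviewing periodically.
foreach ($cn in 'Certificate Templates', 'OID') {
    $container = [ADSI]"LDAP://CN=$cn,$pkiBase"
    "`nWrite-level rights on CN=$cn :"
    $container.ObjectSecurity.Access |
        Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner|CreateChild' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
        Format-Table -AutoSize
}
```

Run it from an elevated or ordinary domain session; reading these objects needs no special rights. The third section is the useful check after following the post's advice: once you have granted Full Control on both containers to the people who design templates, this output is how you confirm that nobody else picked up the same rights along the way.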
Finally, when you attempt to enroll the version 2 certificate template, there are some restrictions on how you enroll them:
- Only users at Windows XP and Windows Server 2003 computers can enroll certificates based on version 2 certificate templates using the Certificate Request Wizard (from the Certificates MMC).
- Users with Windows 2000, Windows XP, and Windows Server 2003 client computers can enroll version 2 certificate templates using the Certificate Enrollment Web Pages.
- All client operating systems (Windows 98 and higher) can enroll certificates based on version 2 certificate templates by using scripting.
HTH,
Brian
Posted by at April 28, 2005 06:50 PM